swverify verifies the package in memory, without installing it on the file system. If a package is signed, it will have the following files:
    <path>/catalog/
    <path>/catalog/INDEX
    ...
    <path>/catalog/<dfiles>/md5sum
    <path>/catalog/<dfiles>/sha1sum
    <path>/catalog/<dfiles>/sig_header
    <path>/catalog/<dfiles>/signature
    ...
For example:
    swverify -d @- <somepackage-1.0.tar.gz
    # - or -
    swverify <somepackage-1.0.tar.gz
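A pre-check for the catalog layout listed above, as an added example (not swverify's own code): it streams a tar archive without extracting it and reports which of the four signature-related files are absent. It assumes `<dfiles>` is a single directory component under `catalog/`; the helper names and the sample archives are constructed for illustration.

```python
import io
import tarfile

# File names the page lists under <path>/catalog/<dfiles>/ for a signed package.
SIGNED_FILES = ("md5sum", "sha1sum", "sig_header", "signature")

def signature_files(fileobj):
    """Map each catalog sub-directory to the sorted SIGNED_FILES names found in it.

    The archive is read as a stream; nothing is extracted to disk.
    """
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = member.name.strip("/").split("/")
            # Assumed layout: .../catalog/<dfiles>/<name>, <dfiles> being one component.
            if len(parts) >= 3 and parts[-3] == "catalog" and parts[-1] in SIGNED_FILES:
                found.setdefault("/".join(parts[:-1]), set()).add(parts[-1])
    return {d: sorted(names) for d, names in found.items()}

def missing_signature_files(fileobj):
    """Return the SIGNED_FILES names that appear in no catalog sub-directory."""
    present = set()
    for names in signature_files(fileobj).values():
        present.update(names)
    return [n for n in SIGNED_FILES if n not in present]

def build_sample(names):
    """Constructed sample: an in-memory .tar.gz holding the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    base = "somepackage-1.0/catalog/"  # constructed path, "dfiles" is a sample name
    signed = build_sample([base + "INDEX"] + [base + "dfiles/" + n for n in SIGNED_FILES])
    unsigned = build_sample([base + "INDEX", base + "dfiles/md5sum", base + "dfiles/sha1sum"])
    print("signed sample, missing:", missing_signature_files(signed))
    print("unsigned sample, missing:", missing_signature_files(unsigned))
```

An empty result only means the files are present; whether the signature and digests are valid is what swverify itself checks.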